Yogesh Patel

Java: SSO made easy by SAML 2.0 with ADFS

Recently I wrote a blog post, Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS. On that post there were questions about Java SSO with SAML 2.0. I have seen many documents about configuring SAML for Java, but I have not found any that are current with the updated versions of SAP NetWeaver.

So I decided to write something on it and give the community an idea of how to achieve this. Keep in mind that the SAML configuration in ABAP and Java is almost the same; I am going to give an overview of how to do it on a Java system. For some of the steps I will refer you to my Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS post. I hope this helps everyone configure SAML for Java.

Matt Fraser also discussed SPNego on Java on the Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS post, and that can be found at: Single Sign-On for Java with SPNego

Where to start?

Open the NetWeaver Administrator on your Java system (http(s)://host:port/nwa) and navigate to Configuration >> Security >> Authentication and Single Sign-On >> SAML 2.0

Enable SAML 2.0 Support

Local Provider configuration

The Provider Name is the fully qualified host name (FQHN) of your system.

On this screen, click the Browse button next to Signing Key Pair.

Press the Create button.

Create the key storage by continuing through the screens.


Continue on the next screen.

Click on Finish

Trusted Providers Configuration

Within the SAML 2.0 screen, change to the Trusted Providers tab and select Add >> Specify Metadata URL

URL: https://<fqdn of ADFS>/FederationMetadata/2007-06/FederationMetadata.xml

Note: In an ABAP system you need to provide the XML file, but in Java you can specify the URL of the XML file.

On this screen, deselect the Verify option and continue.

Provide the signing certificate.

Note: For how to obtain the certificate, see Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS, section Trusted Provider (note on getting the certificate).

Provide a Name and continue.

Now continue through all remaining steps with the default settings until the end of the wizard.

Now go to the trusted provider's Identity Federation tab and add a Name ID Format (in my case, username).

Now make sure you enable the configuration and afterwards download the Local Provider Metadata.

Note: If your XML file comes out blank, restart both the Local Provider and the Trusted Provider.


Add Relying Party Trust

To configure this, follow the steps under the Configure ADFS section of Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS.
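Before the downloaded Local Provider metadata goes into ADFS, and because the ADFS metadata was imported with the Verify option deselected (so its signature was never checked by NetWeaver), it is worth inspecting both documents offline. The following Python script is an added example, not code from the original post or from SAP. Every metadata document in it is a constructed sample: the hostnames, entityIDs and URL paths are placeholders, and the certificate payload is the base64 of the bytes `abc` rather than a real DER certificate. The script extracts the entityID, signing-certificate fingerprint, endpoints and NameID formats from a document, compares the fingerprint of the token-signing certificate in the ADFS metadata against a value read out of band from the ADFS console, reports a blank download (the case the note above describes), and flags two SP documents that share an entityID, which is the condition behind the MSIS7612 error raised in the comments below.

```python
"""Offline checks on the SAML 2.0 metadata exchanged between an SAP NetWeaver
Java system (service provider) and ADFS (identity provider).
Added example, not part of the original post; all documents are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Role descriptor and the endpoint element that matters for each side.
ROLE_TAGS = {"IdP": ("md:IDPSSODescriptor", "md:SingleSignOnService"),
             "SP": ("md:SPSSODescriptor", "md:AssertionConsumerService")}


def cert_fingerprint(b64_der):
    """SHA-256 of a base64 DER certificate, colon-separated uppercase as the
    ADFS certificate dialog shows it; whitespace inside the PEM body is ignored."""
    digest = hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def parse_metadata(xml_text, role):
    """Pull the trust-relevant fields out of one metadata document for the given
    role ("IdP" or "SP"). Problems are collected rather than raised so a report
    over several documents can continue."""
    info = {"entity_id": None, "signing_fingerprints": [], "endpoints": [],
            "name_id_formats": [], "problems": []}
    if not xml_text.strip():
        # The empty download the post mentions (fix: restart both providers).
        info["problems"].append("metadata document is blank")
        return info
    root = ET.fromstring(xml_text)
    entity = (root if root.tag == "{%s}EntityDescriptor" % NS["md"]
              else root.find("md:EntityDescriptor", NS))
    if entity is None:
        info["problems"].append("no EntityDescriptor element")
        return info
    info["entity_id"] = entity.get("entityID")
    desc_tag, endpoint_tag = ROLE_TAGS[role]
    desc = entity.find(desc_tag, NS)
    if desc is None:
        info["problems"].append("no %s in metadata" % desc_tag.split(":")[1])
        return info
    for kd in desc.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            for cert in kd.findall(".//ds:X509Certificate", NS):
                info["signing_fingerprints"].append(cert_fingerprint(cert.text or ""))
    info["endpoints"] = [(ep.get("Binding"), ep.get("Location"))
                         for ep in desc.findall(endpoint_tag, NS)]
    info["name_id_formats"] = [n.text for n in desc.findall("md:NameIDFormat", NS)]
    if not info["signing_fingerprints"]:
        info["problems"].append("no signing certificate in metadata")
    return info


def idp_cert_matches(idp_info, expected_fingerprint):
    """True when a signing certificate in the (unverified) ADFS metadata equals the
    fingerprint read out of band from the ADFS token-signing certificate dialog."""
    wanted = expected_fingerprint.replace(":", "").upper()
    return any(fp.replace(":", "") == wanted for fp in idp_info["signing_fingerprints"])


def duplicate_entity_ids(*sp_infos):
    """entityIDs used by more than one SP document. ADFS requires every relying
    party identifier to be unique, so an ABAP and a Java system on the same host
    must not both present the same one."""
    counts = {}
    for info in sp_infos:
        counts[info["entity_id"]] = counts.get(info["entity_id"], 0) + 1
    return sorted((eid for eid, n in counts.items() if n > 1), key=str)


# Constructed samples. "YWJj" is base64 of the bytes "abc" standing in for a
# DER certificate; hosts, paths and entityIDs are placeholders, not real systems.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (NS["md"], NS["ds"])


def sample_sp_metadata(entity_id, acs_location):
    """Constructed SP metadata in the standard SAML shape (not a real download)."""
    return """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="%s">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="%s" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (NS["md"], NS["ds"], entity_id, acs_location)


# Fingerprint "read from the ADFS console" for the sample: SHA-256 of the bytes "abc".
EXPECTED_ADFS_FINGERPRINT = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
                             "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")
```

To use it against real files, read the ADFS FederationMetadata.xml and the downloaded Local Provider metadata from disk and pass their text to `parse_metadata` with role `"IdP"` and `"SP"` respectively; the fingerprint you pass to `idp_cert_matches` should come from the token-signing certificate shown in the ADFS console, not from the metadata itself, since that is the only independent check once the wizard's Verify option has been turned off. Running `duplicate_entity_ids` over the ABAP and Java SP documents before importing them tells you up front whether ADFS will reject the second relying party identifier.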

Now test your configuration. If it does not work, check the settings below under Components >> ticket:

SAML2LoginModule must be at the top of the list.


Thank you for reading

Yogesh


Comments

George Dilip

      Hi Yogesh,

      First off, thanks for the well documented steps for both JAVA and Fiori Launchpad SAML2 configuration with ADFS.

I have a scenario to configure SSO for Fiori and EP where the AD user IDs are completely different from the SAP user IDs. Also, the AD users are from three different domains.

And after going through various documents and your blog, what I understood is that the basic configuration remains the same, but the claim configuration on the ADFS side and the SAP side will need to be configured accordingly. Could you please confirm if my understanding is correct, and also what attributes I can use to attain SSO for EP and Fiori?


      Regards,

      Harsh


shoeb Syed

      Hello Yogesh,

      Thanks for the doc. Helped me solve the issue.

      Regards,

      Shoeb

Javier Iribarne

      Hello, Yogesh

Thanks for this post, but how can SAML2 be configured in the case of a server with 2 SAP systems (one ABAP and another Java), the typical case for BI?

      Once we have configured SAML of the ABAP part, we get an error in the configuration of the JAVA part, specifically in the ADFS:

      "Error AD / FS Management: An error occurred when trying to access the configuration database of AD FS: Error message MSIS7612: Each identifier for a trusted trust must be unique in all trusts trusted by the AD FS configuration "

      In our case, both URLs (ABAP and JAVA) are using the same hostname. We tried to change the field "Name of the provider" in the SAML configuration of the JAVA system and download the metadata again. In this way, ADFS accepted the metadata file, but the SSO does not work.

      Any suggestions for this case? Thanks and regards

      Javier

Joe Jow

      Hello, Yogesh

I am trying to configure a Solution Manager 7.2 Java host. For the step General Settings -> Signing Key Pair, a Key Store has to be created (if I'm right), but the local host cert has already been configured, so there should be no need for a new cert for ADFS. Company security policy does not allow internal SAP systems to use untrusted (self-generated) certs. Any comment?

      Thanks,

      Joe